NIST SP 800-137

From: SearchCompliance

In this four-part SearchCompliance webcast, Dr. Ron Ross, a senior computer scientist and information security researcher at the National Institute of Standards and Technology (NIST), joins Theresa M. Grafenstine, inspector general of the U.S. House of Representatives, to discuss cybersecurity strategy best practices for both the public and private sector. In the concluding segment, Grafenstine and Ross continue their discussion on cybersecurity controls and provide additional tips to mitigate cyber-risk.

Theresa Grafenstine: So, we relied on our organizations to focus more on strategic risk, we built our risk management framework, we deployed a defense-in-depth strategy. What’s next?

From: InformationWeek/Government

The Obama administration issues new guidelines for continuous monitoring programs to bolster information security.

The Office of Management and Budget (OMB) has directed the heads of all federal departments and agencies to implement measures to safeguard federal information systems and the information they process and store.

Among other measures, the OMB has made cybersecurity one of 14 cross-agency performance priority goals that agencies are responsible for achieving. And the memo to federal agencies provides guidelines for managing information security risks through continuous monitoring processes established by the National Institute of Standards and Technology.

Editor’s Note: OMB Memorandum M-14-03, “Enhancing the Security of Federal Information and Information Systems,” is attached here.

From: FierceGovernmentIT

By David Perera

Agency cybersecurity practices should move beyond the three year cycle of  system authorizations into a state of continuous monitoring of security control  implementation by the end of fiscal 2017, says a Nov. 18 memo from the Office of  Management and Budget.

The memo  (.pdf), applicable to non-national security systems, calls on agencies to  develop a security control continuous monitoring strategy by the end of February  in cooperation with the Homeland Security Department.

From: FCW

By Mark  Rockwell

The Department of Homeland Security has transitioned to a new information assurance architecture manager that will allow it to more easily manage network risk across its multitude of operations.

The framework, Telos’ Xacta IA Manager, allows enterprise-wide information assurance compliance, monitors and tracks access, creates plans of action and milestones, and controls assessments and ongoing authorizations.

“We have implemented common controls across the entire enterprise,” said Richard Johnson, DHS’s branch chief for technical implementation.

The deployment, which has been operational since September, includes all 22 department components.

From: OODA LOOP

Added by Joshua Sinai

Introduction

The threat of “insiders” in positions of trust with access to critical aspects of an organization’s Information Technology (IT) infrastructure, whether government, military, or private sector, to intentionally compromise and sabotage their secrets or proprietary information has become one of the paramount threats facing national security and critical infrastructure since the rise of the internet in the mid-1980s. One reason for the increase in this threat is the massive and exponential explosion of availability of proprietary or classified information within organizations. A second key risk factor is the relative ease of access by “trusted” IT professionals who operate in these “secure” environments, ranging from data entry clerks to IT network administrators.

From: FCW

By Amber Corrin

All too often, an organization’s focus on cybersecurity looks outward to external threats, solutions and guidance. But the real problem might not only be inside, but within the organizational structures that comprise an agency’s operations writ large.

While the insider threat is a hot topic and a very real concern, it is the division between internal teams – specifically the IT and information security operations teams — which can allow the opportunity for insiders to go bad. Combined with a lack of awareness or support at the top, the fractured approach can equal a cracked cybersecurity foundation.